competence series it security for smart metering & scada … · 2020-05-11 · 3. it security...


Post on 01-Jun-2020


IT Security made in Europe

Competence Series

IT Security for Smart Metering & SCADA systems


1. Smart Metering

Smart Metering describes the process of the computer-aided transmission of data from intelligent electric meters, associated control processes and the sum of IT systems necessary for these operations.

Besides straightforward electric meter functions, smart meter devices also collect detailed consumption data, send and receive process data and can also interrupt the power supply to a customer based on a received control command.

The Electricity Directive in the EU’s Third Internal Energy Market Package states that 80% of EU households must be equipped with smart meters by 2020¹.

1.1. Current situation

The introduction of smart metering brings with it a wealth of completely new potential risks for economies, energy suppliers and consumers, as it consists of complex IT systems that communicate at various levels with various protocols. Smart meters represent the lowest level structure of these networks. At the same time they represent the largest number of devices which also operate in uncontrollable environments (private households, commercial establishments, etc.). Smart meters are small computer systems and, as such, they are exposed to potential attacks. Attackers could manipulate individual smart meters to cut individual customers off from the power supply or, in the worst case scenario, could cause large-scale disruption to energy supply networks. It is estimated that the consequences of these failures would be catastrophic² and energy providers are therefore highly concerned about the likelihood of being the starting point for these attacks and being held to account for the subsequent consequences.

1.2. Particularly sensitive data flows and data

The focus of the considerations here is on the usage of smart meters specifically within private households, as this area in a smart grid (an intelligent electricity grid) is the physically most widely distributed and least controllable component.


Use cases in this area which are relevant to IT security include:

» the acquisition and transmission of data concerning energy consumption and end users’ access to this information via a web portal operated by the energy supplier;

» utility companies’ or operators’ remote access to measuring points for maintenance, updates and patches, for connection or disconnection of the power supply, and for detection of failures of the current flow or of the communications technology;

» provision of information on consumption, possibly linked to a more flexible pricing system for private households, or detailed information provision to link consumption data with price information for the energy supplier’s billing purposes.

In addition, the involved parties may save or send each other data including control data, mapping data/IDs/counter numbers, billing/personal account information, maintenance data and status data such as, for example, storage capacity or alert messages in the case of outages.

The parties involved include not only private households and utilities. In fact, there is a network of relationships between various roles and the parties involved comprise operators of communication networks as well as operators of distribution networks, manufacturers of smart meter devices, operators of measuring points and measuring service providers.

The focus of the security requirements is the confidentiality and data protection of personal data/data related to households with regard to access by third parties and unauthorised personnel at energy suppliers and their service providers. In addition, the data authenticity, integrity and currency of all processed and stored data must be secured. Integrity requirements for the IT systems, including smart meters, must also be considered. Ultimately, these security requirements have an impact on the correct energy supply not only to individual households but to whole groups of customers.

1.3. Risk scenarios in a smart metering environment

The extensive complexity of IT systems and the multi-dimensional information exchange between the involved parties form the basis for new potential risks in the energy sector, an industry which has previously had as its top priority the stability and security of the energy supply.

The complexity of the interaction of different agencies, coupled with the complexity of the structure of the IT systems and the increase in functionality and direct control options means that more potential entry points exist for attackers.


The types of threats are diverse. They range from attacks with financial or sabotage motives to malware, zero-day attacks, botnets, denial of service, distributed denial of service to complex advanced persistent threats that could be purposefully used to take over the PC workstations of staff in smart metering environments.

Here are some examples:

Risk scenario 1

The web portal of an energy supplier serves to supply customers with smart meters with a central point to view information on their current energy consumption, and for some customers with a prepayment contract it also provides functions for processing payments. Personal data as well as current and historical consumption data are available after successful login.

An attacker could exploit a vulnerability of the web portal and gain administrative access to the underlying database, bypassing all authentication methods. Customer data including billing information, addresses and consumption data from smart meters could be stolen.

Risk scenario 2

Central IT systems in the core infrastructure of the energy supplier enable the management and control of smart meter systems. These special control systems are used to send shutdown commands to smart meters.

An attacker could gain access to these central IT systems and initiate a large-scale shutdown that could lead to a destabilisation of the energy supply.

Risk scenario 3

All levels of the smart metering infrastructure from the actual smart meters to the customer web portal are connected to each other via various communication levels. At the lowest level, between smart meters and the overlying control systems (so-called “concentrators”) communication takes place via special protocols, at the levels above with Ethernet data connections.

An attacker could try to get access to smart meters in their immediate environment or via the overlying concentrators or other control or management systems via a malicious smart meter or via a communication path. This could result in the destabilisation of smart meters or other connected IT systems. Furthermore, it may be possible to copy control commands to smart meters and reuse them with malicious intent.


Risk scenario 4

The staff administrative PC workstations for the management of smart metering core systems usually have internet access. New vulnerabilities become apparent every day. Such vulnerabilities allow a workstation to be infected when a completely innocent-looking website is visited. Users are unable to detect the risk and even existing security measures such as firewalls or anti-virus software are unable to detect or eliminate this risk.

In this way, central administrative PCs might be infected with malicious software, which then could be used to obtain passwords to access the smart metering core system environment. After obtaining these passwords, attackers could freely make changes to control systems and equip themselves with far-reaching permissions, or they could start a programme of blackmail involving the threat of actions with potentially catastrophic consequences.

2. SCADA Systems

SCADA³ refers to the monitoring and controlling of technical processes by means of computer systems. Examples include power plants, power transmission systems and complex production processes at chemical companies, in petroleum processing or in automotive manufacturing.

SCADA computer systems in the energy sector are usually operated in stand-alone network segments and are physically separated from other networks where possible.

2.1. Current situation

SCADA systems are extremely vulnerable to hacker attacks because of their particular characteristics: basic systems usually have very long life cycles and the software environments are infrequently provided with security updates. In addition, SCADA systems often respond with system failures when too many data packets are received via the network, even when this data is sent legitimately.

Experience demonstrates that even a small disruption of the usual volume of communication packets is sufficient to provoke large-scale failures or generate instabilities in power supply networks.


The consequences of an attack on a SCADA system become apparent when viewed in relation to the sophisticated computer worm Stuxnet. Stuxnet attacked the Siemens industrial systems in the typical configuration for nuclear centrifuges. The target was the Siemens Simatic S7, a system used in industrial plants to monitor and control industrial processes. Stuxnet put thousands of centrifuges used to enrich uranium out of service.

2.2. Risk scenarios in a SCADA environment

The focus of SCADA systems on stability and long-term use typically makes them a very simple target. Attacks may have catastrophic effects and often cannot be detected with current security software.

Here are some examples:

Risk scenario 1

The staff administrative PC workstations for the management of SCADA systems usually have internet access. Similar to the risk scenario for smart metering, new vulnerabilities become apparent every day, and such vulnerabilities allow a workstation to be infected when a completely innocent-looking website is visited. Users are unable to detect the risk and even existing security measures such as firewalls or anti-virus software are unable to detect or eliminate this risk.

In this way, administrative PCs might be infected with malicious software and SCADA systems may be manipulated.

Risk scenario 2

Maintenance technicians in the power plant environment often have free access and can freely connect to the SCADA network. This means that all security measures, which should serve to deny third-party devices access, are bypassed.

If a service technician’s laptop is infected with a malicious program, it could be distributed freely, in particular due to the potentially extremely poor patch level of the SCADA control systems.

Since SCADA systems might react to simple communication requests to the network (“ping”) by crashing, malicious software in SCADA systems could cause massive damage, whilst at the same time being very difficult to detect.


3. IT Security for Smart Metering & SCADA systems: a conceptual framework

The variety of particularly sensitive data flows and data on the one hand and the variety of entry points for attackers on the other hand demonstrate the need for an ultra-modern, sophisticated and always-on IT security monitoring system.

Building up the highest possible defence layers by means of firewalls does not sufficiently protect IT landscapes with, for example, devices that are physically distributed across the whole country. Individual security products always cover very specific, very narrowly defined security issues. However, attackers simply concentrate on the discovery of new vulnerabilities or configuration errors. The complexity of attacks is therefore increasing rapidly and companies are struggling to keep up with defence strategies.

The focus of security measures should therefore be on continuous IT security monitoring and risk detection. If an energy supplier is able to continuously monitor large IT systems for anomalies and possible entry points for attacks, they will be able to react quickly and precisely to actual attacks. There is a wide range of security products available which are designed to perform these tasks. When in use, however, the challenge is to ensure the specifically correct selection and configuration of these tools, and the constant necessary adjustments, as well as the correct interpretation of the results. An effective level of protection based on automated risk identification software therefore entails the continuous availability of highly-skilled and specialised experts.

Due to the current global discussion about the exchange of data between the private sector and government institutions on the one hand⁴ and the possible political dimensions of attacks on operators of critical infrastructures⁵ on the other hand, there is a need for a critical evaluation of the use of IT security products or services with actual or potential data transfer across the EU’s external borders. There is no longer any way to monitor the processing, storing or dissemination of this data and it is impossible to prevent anything from happening to the data under various different legal systems.


4. RadarServices’ offerings for secure Smart Metering & SCADA systems

Energy suppliers and SCADA system operators and their service providers are aware of the fact that IT security management tasks and expectations will grow tremendously in future. It is essential to find a way to solve these tasks both effectively and efficiently.

RadarServices is an experienced service provider for IT security monitoring and IT risk management in the critical infrastructure sector and for companies with a large volume of highly sensitive, personal information such as banks and insurance companies. RadarServices continuously monitors the security of complex IT systems and identifies problems. Particularly important for its customers is the fact that RadarServices’ experts take over the necessary Risk & Security Intelligence Services, in addition to implementing the use of comprehensive tools for automated IT security monitoring. This ensures that the highly complex automated tools are used correctly at all times, they are continuously adjusted and results are correctly interpreted – and at the same time there is no additional burden on the internal staff resources of client companies.

RadarServices is the only company for IT Security Monitoring and IT Risk Management as Managed Services based in Europe. Moreover, in order to fulfil the responsibility this entails, RadarServices has developed processes that ensure that data never physically leaves a client company.

RadarServices offers a dedicated IT Security Monitoring service for Smart Metering & SCADA systems:

In a first step, automated IT security monitoring is done mainly using the following modules:

» SIEM (Security Information & Event Management): manages, analyses and correlates the various sources of security and log information of an IT infrastructure. Also known as Security Event Management (SEM).

» NIDS (Network-based Intrusion Detection): high-performance analysis of the network traffic is used for signature- and behaviour-based detection of dangerous malware, anomalies and other network traffic risks. It analyses the network communication of IT systems and recognises when risky data transfers, infiltration or takeover attempts of IT systems take place. It also detects if potentially vulnerable software components communicate with the internet and run the risk of falling victim to a “drive-by” infection.


» Correlation Engine: correlates collected security-relevant information from different systems and analyses it based on defined values, rules and directives or allowed and desired system behaviour.

The automated IT security monitoring is complemented in a second step by the work of Risk & Security Intelligence specialists:

This means the provision of essential tasks in the IT security monitoring process by experts. All security information analysed by these experts is provided to the client company in a consolidated form, so it can immediately be applied for the remediation process of an identified problem. The analysis and consolidation of collected data offers significant added value to a client company: the client’s employees do not have to consider countless sources of information; they do not have to consult numerous producers of various security solutions and/or manufacturers of hardware or software. Instead, they can start remediation processes for identified problems right away.

The high-quality findings on the current IT security status of a client company provided by RadarServices are reported in the Risk & Security Cockpit in detailed reports, as well as in the form of an alert in the case of an urgent threat situation.

Practical examples illustrate the use of the services:

Numerous interruption commands within a short period of time are sent in a smart meter network. At the same time, unusual data communication is sent by a server in the smart meter control network to an administrator’s workstation, which in turn produces unusual data communication which is sent to a computer address abroad. RadarServices’ IT Security Monitoring detects the processes at different levels in the network. The Security Intelligence team and the operations team of the client company receive an alert. The Security Intelligence experts immediately analyse the problem and guide the client through the remediation process.
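The correlation described in this first example can be sketched as a three-stage rule. This is an added illustration, not RadarServices' code: the network ranges, baseline flow list, thresholds and event format are assumptions, the sample events are constructed, and "abroad" is approximated as "outside the internal address range".

```python
from ipaddress import ip_address, ip_network

# Assumed site parameters (hypothetical, not taken from the paper).
INTERNAL = ip_network("10.0.0.0/8")
CONTROL_NET = ip_network("10.20.0.0/24")        # smart meter control servers
ADMIN_NET = ip_network("10.30.0.0/24")          # administrators' workstations
BASELINE_FLOWS = {("10.20.0.5", "10.30.0.9")}   # server -> workstation pairs seen in normal operation
BURST_COUNT, BURST_WINDOW = 5, 60               # >= 5 interruption commands within 60 s
CORR_WINDOW = 600                               # stages must fall within 10 minutes

# Constructed sample events: (epoch seconds, kind, source, destination).
EVENTS = [(1000 + 10 * i, "disconnect", "10.20.0.7", f"meter-{i:04d}") for i in range(6)] + [
    (1010, "flow", "10.20.0.5", "10.30.0.9"),         # baseline flow, expected
    (1020, "flow", "10.20.0.7", "10.30.0.12"),        # control server -> workstation, never seen before
    (1080, "flow", "10.30.0.12", "203.0.113.50"),     # that workstation -> external address
    (1100, "flow", "10.30.0.9", "198.51.100.7"),      # external traffic, but no unusual inbound flow
    (5000, "disconnect", "10.20.0.5", "meter-0042"),  # isolated, routine interruption
]


def disconnect_bursts(events):
    """Start times of every run of BURST_COUNT interruption commands inside BURST_WINDOW."""
    times = sorted(t for t, kind, _, _ in events if kind == "disconnect")
    return [times[i] for i in range(len(times) - BURST_COUNT + 1)
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW]


def correlate(events):
    """Alert when all three stages line up on the same hosts within CORR_WINDOW."""
    bursts = disconnect_bursts(events)
    flows = sorted((t, s, d) for t, kind, s, d in events if kind == "flow")
    alerts = []
    for t1, server, ws in flows:
        # Stage 2: a control-network server talks to a workstation outside the baseline.
        if (server, ws) in BASELINE_FLOWS:
            continue
        if ip_address(server) not in CONTROL_NET or ip_address(ws) not in ADMIN_NET:
            continue
        # Stage 1: an interruption-command burst at about the same time.
        burst = next((b for b in bursts if abs(t1 - b) <= CORR_WINDOW), None)
        if burst is None:
            continue
        # Stage 3: the same workstation then sends data out of the internal network.
        for t2, src, dst in flows:
            if src == ws and 0 <= t2 - t1 <= CORR_WINDOW and ip_address(dst) not in INTERNAL:
                alerts.append({"burst_start": burst, "server": server,
                               "workstation": ws, "external": dst, "time": t2})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT", alert)
```

No single stage raises an alert on its own; the workstation with only baseline inbound traffic (10.30.0.9) is not reported even though it also talks to an external address.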

RadarServices detects SCADA command packets within the SCADA network, which arrive in too large numbers at these sensitive control systems. Once a defined number is exceeded, an alert is sent by RadarServices to the team at the client company which allows them to react in time, before SCADA control systems crash. The alert includes essential information for the remediation process such as the origin of these potentially disruptive data packets.
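The threshold alert in this second example can be sketched as a sliding-window counter per control system that reports the packet origins. This is an added illustration, not RadarServices' code: the window length, the limit of 20 packets, the host names and the constructed traffic are assumptions.

```python
from collections import Counter, deque

# Assumed values (hypothetical): the paper only speaks of "a defined number".
WINDOW_MS = 1000   # sliding observation window
ALERT_AT = 20      # command packets per window a controller may receive before alerting


class CommandRateMonitor:
    """Counts command packets per controller in a sliding window and alerts once per episode."""

    def __init__(self, window_ms=WINDOW_MS, alert_at=ALERT_AT):
        self.window_ms, self.alert_at = window_ms, alert_at
        self.recent = {}      # controller -> deque of (timestamp_ms, source)
        self.alarmed = set()  # controllers currently above the limit

    def observe(self, ts, src, dst):
        """Feed one packet (in time order); return an alert dict or None."""
        q = self.recent.setdefault(dst, deque())
        q.append((ts, src))
        while q[0][0] <= ts - self.window_ms:   # drop packets that left the window
            q.popleft()
        if len(q) <= self.alert_at:
            self.alarmed.discard(dst)           # rate is back to normal: re-arm
            return None
        if dst in self.alarmed:                 # already reported this episode
            return None
        self.alarmed.add(dst)
        return {"time_ms": ts, "controller": dst, "packets_in_window": len(q),
                "origins": Counter(s for _, s in q).most_common()}


def sample_traffic():
    """Constructed capture: (timestamp_ms, source, destination controller)."""
    polling = [(200 * i, "10.40.0.2", "plc-1") for i in range(20)]        # 5 packets/s
    burst = [(2000 + 10 * i, "10.40.0.77", "plc-1") for i in range(40)]   # 100 packets/s
    return sorted(polling + burst)


def run(packets):
    """Replay a capture through a fresh monitor and collect the alerts."""
    monitor = CommandRateMonitor()
    return [a for a in (monitor.observe(*p) for p in packets) if a]


if __name__ == "__main__":
    for alert in run(sample_traffic()):
        print("ALERT", alert)
```

The limit has to sit below the load at which the control systems become unstable, so that the alert arrives while there is still time to act on the listed origins.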


1 http://www.e-control.at/de/marktteilnehmer/strom/smart-metering

2 http://dipbt.bundestag.de/dip21/btd/17/056/1705672.pdf

3 Supervisory Control and Data Acquisition

4 See e.g. Reuters: “Exclusive: Secret contract tied NSA and security industry pioneer”, 20.12.2013, http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

5 The biggest and publicly well-known attack on SCADA systems, “Stuxnet”, was reported to have been developed by one or more countries: see e.g. Der Standard, 8.7.2013, http://derstandard.at/1371171972255/Snowden-Israel-und-NSA-stecken-hinter-Stuxnet


© 2015 RadarServices Smart IT-Security GmbH. FN371019s, Commercial Court Vienna, Austria. All rights and changes reserved. RadarServices is a registered trademark of RadarServices Smart IT-Security GmbH. All other product or company names are trademarks or registered trademarks of the respective owners.

Detecting Risk, Protecting Value

RadarServices
Zieglergasse 6
1070 Vienna
Austria

Phone: +43 (1) 929 12 71-0
Fax: +43 (1) 929 12 71-710
Email: [email protected]
Web: www.radarservices.com

RadarServices is the European market leader for managed security services. In focus: the early detection of IT security risks. Data never leaves a client’s company. The services combine (1) cutting-edge technology developed in Europe, (2) the work of security intelligence teams in Security Operations Centers (SOCs) globally and (3) documented processes and best practices. The result: Highly effective and efficient improvement of IT security and risk management, continuous IT security monitoring and an overview of security-related information throughout the entire corporation.

RadarServices Germany
Taunustor 1
60310 Frankfurt a. M.

Phone: +49 (69) 2443424 655
Email: [email protected]

RadarServices Middle East
A110-1, DSO HQ Building
Dubai, UAE

Phone: +971 (4) 501 5447
Email: [email protected]